Loading...

Lead Application Security Engineer

Ivo-inc at a glance

SEC filings mentioning "Ivo-inc": 1search EDGAR

Ivo-inc

Why join Ivo?

Every civilization runs on the same infrastructure: agreements between people who don’t fully trust each other. Sumerians pressed them into clay. Romans carved them into stone. We bury them in 80-page PDFs.

The way those agreements are reviewed hasn’t changed in four thousand years – a human reads the whole thing and tries not to miss anything. We’re building the AI that finally changes that. Ivo is the contract intelligence platform of choice for companies like Uber, Meta, Canva, IBM, and Shopify. We recently raised our Series B and have grown 800% over the last 12 months.

The Role

We’re hiring our first dedicated Lead Application Security Engineer to own the security of the Ivo platform end to end. You’ll partner directly with our Head of IT & Security and embed deeply with engineering to harden the product our customers trust with their most sensitive contracts. This is a hands-on senior IC role with broad scope: hunting bugs in our web app and APIs, reviewing security-sensitive code, running our pen test and responsible disclosure programs, threat modeling new features, and shaping how we build secure software at Ivo from the ground up.

Our platform handles legally privileged documents for some of the largest companies in the world. The security stakes are real, and so is the impact.

Responsibilities

  • Own application security across Ivo’s web app, API surface, and the systems behind them.

  • Find and fix bugs. Hunt for vulnerabilities in our own product through hands-on testing, code review, and offensive-minded experimentation, and partner with engineers to ship the fix.

  • Lead manual code review for security-sensitive changes: authentication, authorization, multi-tenancy, integrations, and customer data handling.

  • Run threat modeling with engineering as new features and products are designed, across the full product surface including LLM and agent components.

  • Manage our pen test program and ad-hoc engagements end to end. Scope work, manage vendors, triage findings, and drive remediation to closure with engineering.

  • Run our responsible disclosure program, including researcher communications, validation, payments, and ongoing relationships with trusted external researchers.

  • Build and maintain our application security tooling: SAST, DAST, SCA, secrets detection, and IaC scanning, with a strong bias toward signal over noise.

  • Embed security into the SDLC: PR-time checks, security champions, design review gates, and secure-by-default patterns engineers actually want to use.

  • Conduct deep reviews of identity and access surfaces (Firebase Auth, WorkOS, SSO, SAML, SCIM, RBAC) and partner with product on customer-facing security features.

  • Investigate suspected security issues and lead application-layer incident response alongside engineering.

  • Contribute application security input to enterprise security reviews, SOC 2 Type II, ISO 27001, ISO 42001, and customer-facing trust documentation.

  • Mentor engineers on secure coding and be the go-to expert when teams have a security question.

Who You Are

  • 4+ years in application security, product security, or offensive security at a SaaS company, including time owning security for a production platform.

  • Strong hands-on web application pen testing skills. You can find real bugs in real code, not just run scanners.

  • Deep experience reviewing code in TypeScript / Node and Python. You’re comfortable reading and writing code, not just reviewing it.

  • Strong background in web application security: OWASP Top 10, auth and authorization design (OAuth, OIDC, SAML, SSO), multi-tenant isolation, and modern API security.

  • Practical experience with cloud security in GCP and Azure, plus container and Kubernetes security (AKS or similar).

  • Experience managing pen tests, bug bounty programs, or responsible disclosure programs end to end.

  • Track record of partnering with engineering rather than blocking them. You ship paved roads, not tickets.

  • Excellent written communication. You can write a Slack post that engineers actually want to read, a finding writeup that’s genuinely actionable, and a security review that an enterprise prospect respects.

  • A strong internal sense of urgency and a bias toward shipping today rather than tomorrow.

Nice to Have

  • Experience securing AI / LLM features in production: prompt injection defenses, agent guardrails, and AI-specific threat modeling.

  • Series B or earlier experience where you built or scaled a security function from limited scaffolding.

  • OSCP, OSWE, or comparable hands-on offensive security credentials.

  • CVE credit, published research, or contributions to open-source security tooling.

  • Experience designing security as customer-facing product (SSO domain verification, SCIM, IP allowlisting, audit logging, RBAC).

  • Background supporting enterprise customers in regulated industries.

Why This Role Matters

Ivo’s customers entrust us with their most sensitive contracts. As we move further upmarket and into more regulated industries, the strength of our application security program is becoming a direct driver of enterprise revenue and a key differentiator at the deal table. This role owns the technical security of the product itself. The person who fills it will shape what “secure by default” means at Ivo for years to come.

Compensation And Benefits

  • Competitive Compensation: The USD base range for this role is $220,000 – $300,000 (+equity would be on top of this). Final offer details are determined based on experience, expertise, and overall fit.

  • Relocation and Visa Support: We also offer relocation assistance for successful applicants moving to SF, as well as support for visa and green card applications where applicable.

  • Medical benefits: Comprehensive medical, dental and vision plans to suit the needs of you and your family.

  • 401(k) Program: Plan for your future with access to our company-sponsored 401(k) program.

  • Commuter Benefits: We provide commuter benefits to help make getting to and from the office easier and more convenient.

  • Unlimited PTO: So you can take the time you need to recharge, stay healthy, and bring your best self to work.

  • Office Perks: Enjoy a vibrant Downtown San Francisco office with catered lunch provided five days a week, premium snacks and coffee, a gym located in the building, and a dog-friendly environment!

To apply for this job please visit jobs.ashbyhq.com.

Terms used in this posting

PTO
Paid Time Off — vacation, personal, or sick days you can take while still being paid.
equity
Ownership stake in the company, usually in the form of stock options or RSUs, offered in addition to salary.
relocation assistance
The employer may help cover some or all costs of moving to take the job, such as moving expenses or temporary housing.

Working in San Francisco, California

Weather right now in San Francisco, California: checking… · Local time: · Air quality: · Daylight: · UV index: · Wind:

San Francisco, officially the City and County of San Francisco, is the fourth-most populous city in California and the 17th-most populous in the United States, with a population of 826,079 in 2025. Among U.S. cities with a population of 200,000 or more, San Francisco is ranked first by per capita income, second by population density, and sixth by aggregate income as of 2024. Some 4.6 million residents live in the city's metropolitan statistical area, which is the 13th-largest in the United States. Around 9.2 million live in the San Jose–San Francisco–Oakland combined statistical area, the fift

California is a U.S. state in the Western United States that lies on the Pacific Coast. It borders Oregon to the north, and Nevada and Arizona to the east; it also shares an international border with the Mexican state of Baja California to the south. With over 39 million residents across an area of 163,696 square miles (423,970 km2), it is the largest U.S. state by population and third-largest by

🇺🇸 Relocation safety for US: Exercise Normal Cautionvia Warnely, CC BY 4.0

National unemployment rate in US: 4.2%via World Bank

Recent seismic activity: 2 earthquakes (M4.5+) within 200km in the last 6 months — largest M5.6 near 11 km N of Redwood Valley, CA. via USGS

  • Elevation 38m (125 ft)

Source: Wikipedia (state)

Job details above are provided by the employer/source. The sections on this page are compiled from public data sources with AI assistance.

Accommodations: if you need a workplace accommodation to apply for or perform this job, see ADA.gov or EEOC.gov for guidance on your rights and how to request one.

Add application deadline to calendar

Keep exploring on Get A Job.ai

Not quite the right fit? Your next opportunity is a click away.

Hiring instead? Post a job and reach candidates searching right now.